Here is a summary of what customers and phishers have to face since September:
In fact, because it makes checking recent transactions that much less convenient, it probably made me less safe because I do it much less often.
U2F is a useful method, but it's not common at all (even in IT most companies don't provide it, not even the website we're on right now, nor PayPal), and it's not understandable how this isn't "proper 2FA".
In addition, the directive requiring the purpose of the code to be fixed and shown aside it, either in the app generating it, or in the push notification, is a very useful security aspect which most other 2FA solutions miss — even U2F can't differentiate between a login and a transaction authorization.
Other solutions are either/or. There is a benefit to confirming particular actions (with the info about the action) in the app, but it's unnecessarily inconvenient for mere login.
U2F isn't widely supported but I managed to secure virtually my entire high-value Internet presence with it. Google, OVH, Coinbase, and Stripe all support it. Let's be honest, for HN I wouldn't bother with any second factor. I have the password saved in the browser and that's more than enough.
So an attacker would need to alter the image (simple) and cause a collision (hopefully difficult) or somehow abuse an error in the reader firmware.
It seems there is now a QR variant of that (which increases the attack surface since now it has to understand a more complex data format).
If my bank had had me install an app or use SMS 2FA, I would have kindly asked them to .... off (or, if they think their "2FA" is safe, just connect their mobile phones to this totally unsuspicious-looking USB device).
ChipTAN on Wikipedia: